Tokenrip CLI

Security checks across malware telemetry and agentic risk

Overview

This collaboration skill is mostly purpose-aligned, but it needs Review because it handles long-lived credentials, login links, share tokens, destructive actions, and self-updates with more exposure and less user-control guidance than expected.

Install only if you intend to use Tokenrip as a networked collaboration service. Treat generated share URLs, operator links, API keys, identity export blobs, and terminal output as sensitive; avoid running `rip auth link` with a visible password flag in shared shells; review self-update behavior before using `rip update`; and require explicit human confirmation before uploads, profile changes, team membership changes, key regeneration, or permanent deletes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (40)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes network and environment-related capabilities through the `rip` CLI and installation flow, but the manifest does not explicitly declare permissions or warn about those capabilities. This weakens reviewability and informed consent: a user may invoke a collaboration skill without realizing it can register identities, contact remote services, and use locally stored credentials.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill's declared purpose centers on collaboration, but the content also includes identity creation/switching/export/import, auth recovery/linking, public profile updates, operator login-link generation, and self-update behavior. That mismatch is dangerous because an agent or reviewer may authorize the skill for simple file sharing while inadvertently enabling credential-bearing identity operations, account linking, and access delegation with materially higher security and privacy consequences.

Intent-Code Divergence

High
Confidence
90% confidence
Finding
The documentation says local identities are managed on the machine, then states `rip auth link` downloads a server-side keypair. Server-side possession and download of private key material materially weakens the expected trust model: compromise of the service, logs, backups, or operator access could expose agent identities and enable impersonation.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The self-update path executes `npm install -g @tokenrip/cli@${targetVersion}` based on a remotely fetched manifest version, giving this collaboration tool the ability to replace its own executable code. If the update channel, package account, or manifest source is compromised, users can be driven to install attacker-controlled code with the permissions of the invoking user.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
`saveSkillFile` fetches arbitrary remote content from `skillUrl` and overwrites `CONFIG_DIR/SKILL.md` without authenticity checks. Even though this is 'just' a markdown skill file, skill definitions can influence agent behavior, so a compromised manifest or hostile URL could silently replace local instructions and facilitate prompt-injection or unsafe downstream actions.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The CLI exposes substantial capabilities beyond the skill's stated collaboration/file-sharing purpose, including identity lifecycle management, contact resolution, operator onboarding, and team administration. In an agent-skill context, this broader command surface increases the chance that an LLM-enabled agent will be induced to perform sensitive account or trust-boundary actions the user did not intend.

Context-Inappropriate Capability

Low
Confidence
98% confidence
Finding
The self-update command enables the tool to modify its own installed code, which is not necessary for the described collaboration use case. In an agent setting, self-modification is especially risky because it can change future behavior, pull unreviewed code, and undermine the trust assumptions of the original reviewed skill.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The self-update command performs privileged side effects beyond normal collaboration features: it installs a new global package version, updates local config, and rewrites a local SKILL.md file from remote content. While self-update functionality can be legitimate for a CLI, it materially expands the trust boundary and creates a software supply-chain risk if the manifest or referenced skill file is compromised.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
This code executes a global npm install based on a remotely fetched manifest version, which allows remote data to drive local package installation. Even though execFileSync avoids shell injection, the design still enables supply-chain compromise, privilege misuse, and unexpected system-wide modification if the update source or package registry is tampered with.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide documents permanently destructive operations like `rip asset delete` and `rip asset delete-version` without strong warnings, confirmation guidance, or safer alternatives. In an agent-facing skill, this increases the chance an autonomous agent or operator will execute irreversible deletion based on a casual instruction, causing loss of assets or version history.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The thread management section includes `rip thread delete <id>` described as a hard-delete of the thread and all messages, but does not prominently warn about irreversible data loss. In a collaboration skill, this is especially risky because threads may contain shared coordination history, and an agent could delete evidence, instructions, or important context permanently.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The docs instruct users to pass credentials on the command line (`--password your-password`) and to save API keys to a config file, but omit warnings that CLI arguments may be exposed via shell history, process listings, logs, or recordings. This creates a real secret-handling risk, especially in multi-user systems, shared terminals, or agent-operated environments.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The manifest includes very broad trigger phrases such as general collaboration, sharing, and organizing requests, which can cause the skill to be selected in many ordinary contexts. Because the skill can perform networked sharing and identity-related operations, broad invocation language increases the chance of over-triggering and accidental disclosure or unintended remote actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs agents to install software, register/link identities, recover auth, and generate operator login links without prominent privacy and security warnings. These actions can create or bind persistent credentials, expose account data to a web dashboard, and generate login artifacts that grant broad visibility into inboxes, assets, contacts, and threads; without explicit warnings and consent, users may unknowingly expand access.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This code posts a password to the server and then stores returned long-lived secrets (`secret_key` and `api_key`) on disk, while also including the API key in success output. Even if this is expected functionality for a CLI link flow, the absence of explicit user warning/consent and the exposure of sensitive values to local config, logs, terminal history capture, or shoulder-surfing increase the risk of credential compromise.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The command emits the raw capability token directly in CLI output alongside the share URL. Capability tokens are bearer secrets, so printing them increases the chance they are exposed through terminal history, logs, screenshots, shell pipelines, CI output, or agent-to-agent transcript capture, allowing anyone who obtains the token to use the granted permissions until expiration.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The `threadShare` command prints the raw capability token alongside the share URL, which increases the chance the bearer token is captured in terminal history, logs, CI output, shell transcripts, or screenshots. Because this token appears to grant comment access to the thread and is embedded in a shareable workflow, exposing it directly makes accidental disclosure materially more likely.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The configuration object can contain an `apiKey`, and `saveConfig` writes the entire config JSON directly to disk in a predictable location under the user's home directory without setting restrictive file permissions or separating secrets from non-sensitive settings. If the host is multi-user, backed up, synced, or otherwise accessible to other local processes, the API key may be exposed and reused to access the user's tokenrip account or data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The formatter prints a newly created API key directly into normal CLI output, which can expose the secret to terminal history, logs, screen recordings, or downstream tooling that captures stdout. Because API keys are bearer credentials, anyone who obtains the value may be able to authenticate as the user until the key is rotated or revoked.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The configuration display includes the full stored API key in plain text, making secret disclosure likely during routine use such as terminal sharing, screenshots, CI logs, or shell history capture. Revealing long-lived credentials in a general-purpose formatter materially increases the chance of accidental compromise.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The auth link command accepts a password via a command-line flag, which commonly exposes secrets through shell history, process listings, logs, and audit trails. This is dangerous because operator credentials may be retrievable by other local users, monitoring tools, or incident artifacts long after use.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The command prints freshly recovered or regenerated API keys directly to stdout, which can expose secrets through terminal history, shell logging, CI logs, screen recording, or other process output capture. In a collaboration/file-sharing CLI used by autonomous agents, this is more dangerous because command output may be forwarded, persisted, or shared across systems without the operator realizing a credential was disclosed.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
API key regeneration revokes the previous key and replaces it immediately, but the code does not require explicit confirmation before performing this destructive action. This can cause accidental denial of service for existing automations, agents, or integrations that still depend on the old key, which is especially relevant in an agentic collaboration platform where many connected workflows may share the credential.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The share command returns both a bearer-style capability token and a ready-to-use URL containing that token in the query string. This makes accidental disclosure more likely through terminal history, logs, screenshots, shell piping, clipboard sharing, browser history, referrer leakage, and observability systems, and the token grants access to the thread until expiry or revocation. In a collaboration CLI, this is especially risky because users are likely to paste command output into chats, tickets, or shared terminals.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The formatter prints a newly created API key directly to stdout, which can leak into terminal scrollback, logs, screenshots, CI output, or shared agent transcripts. Although showing a freshly issued secret can be operationally useful, emitting it without masking or an explicit one-time secret handling flow increases the chance of credential disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.